(57) ABSTRACT

One embodiment of the present invention provides a system 
that facilitates sharing authentication information between a 
plurality of servers within a distributed computing system. 
Upon receiving a communication from a client at a first 
server, the system determines whether the client is known to 
the first server. If the client is unknown to the first server, the 
first server generates a first identifier for the client, and then 
communicates this first identifier to the client. The first 
server also directs the client to communicate the first iden- 
tifier to the authentication server, so that the authentication 
server can attempt to associate the first identifier with a 
known client. 
METHOD AND APPARATUS FOR SHARING
AUTHENTICATION INFORMATION BETWEEN 
MULTIPLE SERVERS 

BACKGROUND 
[0001] 1. Field of the Invention 

[0002] The present invention relates to providing security
in distributed computing systems. More specifically, the
present invention relates to a method and an apparatus that
facilitates sharing authentication information between mul-
tiple independent servers within a distributed computing
system.

[0003] 2. Related Art 

[0004] A typical Internet user visits a web site multiple 
times in order to gather information or perform transactions. 
During this process, it is often useful for the web site to be 
able to identify the user, so that the web site can remember 
what the user did during the previous visit. This allows the 
web site to tailor web pages for the user.

[0005] In order to facilitate identification of the user, a web 
server often sends a special message called a "cookie" to the 
web browser. The browser stores this cookie in a file called 
"cookie.txt". Each time the browser subsequently requests a 
web page from the server, the browser sends the cookie back 
to the server along with the request. By examining the 
cookie, the web site can identify the user, which enables the 
web site to look up information on the user and to prepare 
web pages that are customized for the user. 




[0006] … identify a user to a web site located in a first domain will not
be presented to another web site located in a second domain.
This makes it hard for a set of related web sites to share
information regarding a web user. Hence, the web user may
have to re-enter information, such as a home address or a
password, for each web site the user visits, even if the web
sites are related to each other.

[0007] In order to alleviate this problem, some organiza-
tions have changed the name of their web sites to all reside
under one domain name. For example, "domain1.com" and
"domain2.com" can be changed to
"domain1.maindomain.com" and
"domain2.maindomain.com", respectively. Unfortunately,
locating a set of related web sites under a single domain can
decrease the visibility of the web sites to search engines that
attempt to locate web sites containing specific information.
This can lead to less traffic through the set of related web
sites.

[0008] Hence, what is needed is a method and an appa-
ratus for using cookie information to identify a web user 
across multiple web sites located under different domain 
names. 

SUMMARY 

[0009] One embodiment of the present invention provides
a system that facilitates sharing authentication information
between a plurality of servers within a distributed computing
system. Upon receiving a communication from a client at a
first server, the system determines whether the client is
known to the first server. If the client is unknown to the first
server, the first server generates a first identifier for the
client, and then communicates this first identifier to the
client. The first server also directs the client to communicate
the first identifier to the authentication server, so that the
authentication server can attempt to associate the first iden-
tifier with a known client.

[0010] In one embodiment of the present invention, if the 
client is known to the authentication server, the authentica- 
tion server associates the first identifier with a pre-existing 
identifier for the client. 

[0011] In one embodiment of the present invention, if the 
client is unknown to the authentication server, the authen- 
tication server causes the client to store a cookie for the 
authentication server. This cookie contains an identifier for 
the client, so that the authentication server can subsequently 
identify the client by examining the cookie. 

[0012] In one embodiment of the present invention, the 
authentication server determines whether or not the client is 
known to the authentication server by attempting to examine 
a cookie presented by the client to the authentication server. 

[0013] In one embodiment of the present invention, if the 
client is unknown to the first server, the system additionally 
causes the client to store a cookie for the first server, so that 
the client can subsequently present the cookie to the first 
server in order to identify the client to the first server. 

[0014] In one embodiment of the present invention, upon 
subsequently receiving a username and a password from the 
client, the system attempts to authenticate the client based on 
the username and the password. If the client is successfully 
authenticated, the system associates the username with the 
client. 

[0015] In one embodiment of the present invention, the 
system determines whether the client is known to the first 
server by looking for a cookie presented by the client to the 
first server. If such a cookie is presented by the client, the 
system determines if the cookie contains an identifier that is 
known to the first server. 

BRIEF DESCRIPTION OF THE FIGURES 

[0016] FIG. 1 illustrates a distributed computing system 
in accordance with an embodiment of the present invention. 

[0017] FIG. 2 is a flow chart illustrating the process of 
directing a client to an authentication server in accordance 
with an embodiment of the present invention. 

[0018] FIG. 3 is a flow chart illustrating the process of 
associating a client with an authentication server cookie in 
accordance with an embodiment of the present invention. 

[0019] FIG. 4 is a flow chart illustrating the process of 
authenticating a user at a server in accordance with an 
embodiment of the present invention. 

DETAILED DESCRIPTION 

[0020] The following description is presented to enable 
any person skilled in the art to make and use the invention, 
and is provided in the context of a particular application and 
its requirements. Various modifications to the disclosed 
embodiments will be readily apparent to those skilled in the 
art, and the general principles defined herein may be applied 
to other embodiments and applications without departing 
from the spirit and scope of the present invention. Thus, the
present invention is not intended to be limited to the embodi- 
ments shown, but is to be accorded the widest scope 
consistent with the principles and features disclosed herein. 

[0021] The data structures and code described in this 
detailed description are typically stored on a computer 
readable storage medium, which may be any device or 
medium that can store code and/or data for use by a 
computer system. This includes, but is not limited to, 
magnetic and optical storage devices such as disk drives, 
magnetic tape, CDs (compact discs) and DVDs (digital 
versatile discs or digital video discs), and computer instruc- 
tion signals embodied in a transmission medium (with or 
without a carrier wave upon which the signals are modu- 
lated). For example, the transmission medium may include 
a communications network, such as the Internet. 

[0022] Distributed Computing System 

[0023] FIG. 1 illustrates a distributed computing system 
100 in accordance with an embodiment of the present 
invention. Distributed computing system 100 includes a 
client 102 coupled to servers 110-111 and authentication 
server 112 through network 103. 

[0024] Network 103 can generally include any type of 
wire or wireless communication channel capable of coupling 
together computing nodes. This includes, but is not limited 
to, a local area network, a wide area network, or a combi- 
nation of networks. In one embodiment of the present 
invention, network 103 includes the Internet. 

[0025] Client 102, servers 110-111 and authentication 
server 112 are computer systems that can generally include 
any type of computer system, including, but not limited to, 
a computer system based on a microprocessor, a mainframe 
computer, a digital signal processor, a portable computing 
device, a personal organizer, a device controller, and a 
computational engine within an appliance. 

[0026] More specifically, servers 110-111 and authentica-
tion server 112 are servers that can generally include any
nodes on network 103 including a mechanism for servicing
requests from client 102 for computational and/or data
storage resources. Servers 110-112 contain web sites 130-
132, respectively, which contain inter-linked pages of tex-
tual and graphical information that can be navigated through
by using web browser 105 located on client 102.

[0027] Servers 110-112 are in communication with data-
base 114, which can be used to share data between servers
110-112. Database 114 can include any type of system for
storing data in non-volatile storage. This includes, but is not
limited to, systems based upon magnetic, optical, and mag-
neto-optical storage devices, as well as storage devices
based on flash memory and/or battery-backed up memory.
… alternatively a centralized database … computing node …

[0028] Client 102 can generally include any node on 
network 103 including computational capability and includ- 
ing a mechanism for communicating across the network. 
Client 102 contains web browser 105, which can generally 
include any type of web browser capable of viewing a web 
site, such as the INTERNET EXPLORER™ browser dis- 
tributed by the Microsoft Corporation of Redmond, Wash. 



[0029] Web browser 105 makes use of a number of
cookies 106-108 stored within database 104. Database 104
can include any type of system for storing data in non-
volatile storage. This includes, but is not limited to, systems
based upon magnetic, optical, and magneto-optical storage
devices, as well as storage devices based on flash memory
and/or battery-backed up memory. In one embodiment of the
present invention, database 104 is a file system and cookies
106-108 are contained within individual files in the file
system. Note that cookies 106, 107 and 108 contain identi-
fiers 122, 124 and 128, respectively, which can be used to
identify client 102 as the owner of cookies 106-108.

[0030] Process of Directing a Client to an Authentication 
Server 

[0031] FIG. 2 is a flow chart illustrating the process of 
directing client 102 to authentication server 112 in accor- 
dance with an embodiment of the present invention. The 
system starts when client 102 first connects to server 110 
(box 202). Next, server 110 looks for a cookie presented by 
web browser 105 to web site 130 on server 110 (box 204). 
If this cookie exists, server 110 determines if an identifier 
embedded within the cookie is known to server 110 (box 
206). For example, if client 102 presents cookie 106 to 
server 110, server 110 checks to see if identifier (PID) 122 
is known to server 110. If so, client 102 is known to server 
110, and the process completes. 

[0032] If at box 208, the identifier is not known to server
110, or if at box 205, no cookie was presented by client 102
to server 110, the system generates an authentication iden-
tifier (AID) 120 and identifier (PID) 122 (box 210) for client
102, and sends AID 120 and PID 122 to client 102 (box 212).
Server 110 also directs client 102 to authentication server
112 (box 213). This is accomplished by communicating a
script tag to client 102 that has its source in authentication
server 112.



[0033] At this point, client 102 generates a cookie 106 for
server 110 and embeds PID 122 in the cookie.
Client 102 then sends AID 120 to authentication server 112
as is described in more detail below with reference to FIG.
3.

[0034] Process of Associating a Client with an Authen-
tication Server Cookie

[0035] FIG. 3 is a flow chart illustrating the process of
associating client 102 with an authentication server cookie
107 in accordance with an embodiment of the present
invention. The system starts when client 102 sends AID 120
to authentication server 112 (box 302). In one embodiment
of the present invention, this takes place when client 102
retrieves a script for authentication server 112 that was
communicated to client 102 by server 110.

[0036] Next, authentication server 112 determines if a 
cookie for authentication server 112 is sent to authentication 
server 112 along with AID 120 (box 303). If so, authenti- 
cation server 112 determines if the cookie contains a known 
authentication server identifier (APID) 124. For example, 
authentication server 112 can check APID 124 in cookie 107 
that is presented to authentication server 112 by client 102 
along with AID 120. If cookie 107 contains a known APID 
124, then client 102 is known to authentication server 112. 
At this point, authentication server 112 links APID 124 for 
client 102 with AID 120 (box 310). This allows server 110
to know the identity of client 102. 

[0037] If at box 303, no cookie is sent along with AID 120,
or if at box 304, APID 124 is not known to authentication 
server 112, authentication server 112 generates a new APID 
124 for client 102 (box 306). Next, authentication server 112 
sends the new APID 124 to client 102 (box 308). This allows 
client 102 to generate a new cookie 107 for authentication 
server 112 containing APID 124 (box 309). This causes 
client 102 to send cookie 107 to authentication server 112 
along with subsequent page requests. At this point, authen- 
tication server 112 links APID 124 for client 102 with AID 
120 (box 310), which allows server 110 to know the identity 
of client 102. 

[0038] Process of Authenticating a User at a Server 

[0039] FIG. 4 is a flow chart illustrating the process of 
authenticating a user at a server 110 in accordance with an 
embodiment of the present invention. The system starts 
when server 110 receives a username and a password from 
a user of client 102 (box 402). Note that client 102 has been 
previously identified through the process outlined in FIGS. 
2 and 3 above. Server 110 then authenticates the username 
and password (box 404). If this authentication is successful, 
server 110 links the username with the APID 124 of client 
102 (box 406). 

[0040] At this point, the username is associated with APID 
124, which is presented by client 102 to authentication 
server 112 in subsequent communications with authentica- 
tion server 112. 

[0041] If client 102 subsequently communicates with a
server 111 that does not know about client 102, server 111
will direct client 102 back to authentication server 112, 
which will create a link to the known APID 124 for client 
102, and will thereby create a link to the username. At this 
point, server 111 knows that client 102 is authenticated 
without requiring the user to enter the username and pass- 
word again. 

[0042] Note that the authentication process outlined in 
FIG. 4 can take place at any server in distributed computing 
system 100 which knows about client 102, including server 
110, server 111 and authentication server 112. 
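The three processes of FIGS. 2-4 carried out end to end, as an added simulation that is not code from the patent: the domain names, the credential store and the single-use check on AID are my assumptions, and browser 105 is modelled as a per-domain cookie jar so that no server ever sees another domain's cookie.

```python
import hashlib
import secrets
from dataclasses import dataclass, field

# Constructed credential store for box 404 (salted PBKDF2 hashes); not part of the patent.
_SALT = b"constructed-salt"
_USERS = {"alice": hashlib.pbkdf2_hmac("sha256", b"correct horse", _SALT, 50_000)}


def verify_password(username, password):
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, 50_000)
    return secrets.compare_digest(_USERS.get(username, b""), digest)


@dataclass
class Client:
    """Web browser 105: a per-domain cookie jar, so a site only ever sees its own cookie."""
    cookies: dict = field(default_factory=dict)


class AuthServer:
    """Authentication server 112 (FIG. 3); the domain name is an assumed placeholder."""
    def __init__(self, domain="auth.example"):
        self.domain = domain
        self.known_apids = set()
        self.aid_to_apid = {}    # links made at box 310
        self.apid_to_user = {}   # filled in at box 406

    def link(self, client, aid):
        """Client arrives through the script tag carrying AID; returns the APID linked to it."""
        if aid in self.aid_to_apid:
            return None  # assumed safeguard: an AID is single-use, so a replay is refused
        apid = client.cookies.get(self.domain)              # box 303: cookie 107 sent?
        if apid is None or apid not in self.known_apids:    # box 304: APID known?
            apid = secrets.token_urlsafe(16)                # box 306: new, unguessable APID
            self.known_apids.add(apid)
            client.cookies[self.domain] = apid              # boxes 308-309: store cookie 107
        self.aid_to_apid[aid] = apid                        # box 310
        return apid

    def user_for(self, aid):
        return self.apid_to_user.get(self.aid_to_apid.get(aid))


class WebServer:
    """Server 110 or 111 on its own domain (FIG. 2 and FIG. 4)."""
    def __init__(self, domain, auth):
        self.domain = domain
        self.auth = auth
        self.pid_to_aid = {}

    def visit(self, client):
        """Boxes 202-213; returns (aid, script_tag), script_tag being None for a known client."""
        pid = client.cookies.get(self.domain)               # box 204
        if pid in self.pid_to_aid:                          # box 206
            return self.pid_to_aid[pid], None
        aid, pid = secrets.token_urlsafe(16), secrets.token_urlsafe(16)  # box 210
        self.pid_to_aid[pid] = aid
        client.cookies[self.domain] = pid                   # box 212: cookie 106 holds PID
        # box 213: script tag whose src lies on the auth server's domain, carrying the AID
        tag = f'<script src="https://{self.auth.domain}/link?aid={aid}"></script>'
        return aid, tag

    def identify(self, client):
        """FIG. 2 followed by FIG. 3: returns the client's AID, linked at the auth server."""
        aid, tag = self.visit(client)
        if tag is not None:   # unknown here: the browser fetches the tag from the auth server
            self.auth.link(client, aid)
        return aid

    def login(self, client, username, password):
        """Boxes 402-406: verify the credentials, then bind the username to the client's APID."""
        if not verify_password(username, password):
            return False
        apid = self.auth.aid_to_apid[self.identify(client)]
        self.auth.apid_to_user[apid] = username
        return True

    def current_user(self, client):
        return self.auth.user_for(self.identify(client))


def run_scenario():
    """Log in at site A, then visit site B on another domain: B learns the username via 112."""
    auth = AuthServer()
    site_a, site_b = WebServer("domain1.example", auth), WebServer("domain2.example", auth)
    client = Client()
    logged_in = site_a.login(client, "alice", "correct horse")
    user_at_b = site_b.current_user(client)
    # Three distinct opaque cookies: PID for A, PID for B, APID for the auth server.
    distinct = len({client.cookies[d] for d in (site_a.domain, site_b.domain, auth.domain)}) == 3
    return logged_in, user_at_b, distinct
```

Because AID 120 travels in the script tag's URL, the simulation refuses an AID that has already been linked; that single-use rule, and generating every identifier with `secrets`, is what keeps the linking step from being replayed or guessed.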

[0043] The foregoing descriptions of embodiments of the 
present invention have been presented for purposes of 
illustration and description only. They are not intended to be 
exhaustive or to limit the present invention to the forms 
disclosed. Accordingly, many modifications and variations 
will be apparent to practitioners skilled in the art. Addition- 
ally, the above disclosure is not intended to limit the present 
invention. The scope of the present invention is defined by 
the appended claims. 



What is claimed is: 

1. A method that facilitates sharing authentication infor- 
mation between a plurality of servers within a distributed 
computing system, wherein the plurality of servers includes 
a first server and an authentication server, the method 
comprising: 

receiving a communication from a client at the first 
server; 



determining whether the client is known to the first server; 
and 

if the client is unknown to the first server, 

generating a first identifier for the client, 

communicating the first identifier to the client, and 

directing the client to communicate the first identifier to 
the authentication server, so that the authentication 
server can attempt to associate the first identifier with 
a known client. 

2. The method of claim 1, 

wherein if the client is known to the authentication server, 
the authentication server associates the first identifier 
with a pre-existing identifier for the client; 

wherein if the client is unknown to the authentication 
server, the authentication server causes the client to 
store a cookie for the authentication server, wherein the 
cookie contains an identifier for the client, so that the 
authentication server can subsequently identify the 
client by examining the cookie. 

3. The method of claim 1, wherein the authentication 
server determines whether or not the client is known to the 
authentication server by attempting to examine a cookie 
presented by the client to the authentication server. 

4. The method of claim 1, wherein if the client is unknown 
to the first server, the method additionally comprises causing 
the client to store a cookie for the first server, so that the 
client can subsequently present the cookie to the first server 
in order to identify the client to the first server. 

5. The method of claim 1, further comprising: 

receiving a username and a password from the client; 

attempting to authenticate the client based on the user- 
name and the password; and 

if the client authenticates, associating the username with 
the client. 

6. The method of claim 1, wherein determining whether 
the client is known to the first server involves: 

looking for a cookie presented by the client to the first 
server; and 

if such a cookie is presented by the client, determining if 
the cookie contains an identifier that is known to the 
first server. 

7. A method that facilitates sharing authentication infor- 
mation between a plurality of servers within a distributed 
computing system, wherein the plurality of servers includes 
a first server and an authentication server, the method 
comprising: 

receiving a communication from a client at the authenti- 
cation server, wherein the communication includes a 
first identifier generated by the first server for the client; 

determining whether the client is known to the authenti- 
cation server; 

if the client is known to the authentication server, asso- 
ciating the first identifier with a pre-existing identifier 
for the client; and 

if the client is unknown to the authentication server, 
causing the client to store a cookie for the authentica- 
tion server, wherein the cookie contains an identifier for 
the client, so that the authentication server can subse-
quently identify the client by examining the cookie. 

8. The method of claim 7, wherein the authentication 
server determines whether or not the client is known to the 
authentication server by attempting to examine a cookie 
presented by the client to the authentication server.

9. The method of claim 7, further comprising: 

receiving a username and a password from the client; 

attempting to authenticate the client based on the user- 
name and the password; and 

if the client authenticates, associating the username with 
the client. 

10. A computer-readable storage medium storing instruc- 
tions that when executed by a computer cause the computer 
to perform a method that facilitates sharing authentication 
information between a plurality of servers within a distrib- 
uted computing system, wherein the plurality of servers 
includes a first server and an authentication server, the 
method comprising: 

receiving a communication from a client at the first 
server; 

determining whether the client is known to the first server; 
and 

if the client is unknown to the first server, 

generating a first identifier for the client, 

communicating the first identifier to the client, and 

directing the client to communicate the first identifier to 
the authentication server, so that the authentication 
server can attempt to associate the first identifier with 
a known client. 

11. The computer-readable storage medium of claim 10, 

wherein if the client is known to the authentication server, 
the authentication server associates the first identifier 
with a pre-existing identifier for the client; 

wherein if the client is unknown to the authentication 
server, the authentication server causes the client to 
store a cookie for the authentication server, wherein the 
cookie contains an identifier for the client, so that the 
authentication server can subsequently identify the 
client by examining the cookie. 

12. The computer-readable storage medium of claim 10, 
wherein the authentication server determines whether or not 
the client is known to the authentication server by attempt- 
ing to examine a cookie presented by the client to the 
authentication server. 

13. The computer-readable storage medium of claim 10, 
wherein if the client is unknown to the first server, the 
method additionally comprises causing the client to store a 
cookie for the first server, so that the client can subsequently 
present the cookie to the first server in order to identify the 
client to the first server. 

14. The computer-readable storage medium of claim 10, 
wherein the method further comprises: 

receiving a username and a password from the client; 

attempting to authenticate the client based on the user- 
name and the password; and 
if the client authenticates, associating the username with
the client. 

15. The computer-readable storage medium of claim 10, 
wherein determining whether the client is known to the first 
server involves: 

looking for a cookie presented by the client to the first 
server; and 

if such a cookie is presented by the client, determining if 
the cookie contains an identifier that is known to the 
first server. 

16. A computer-readable storage medium storing instruc-
tions that when executed by a computer cause the computer 
to perform a method that facilitates sharing authentication 
information between a plurality of servers within a distrib- 
uted computing system, wherein the plurality of servers 
includes a first server and an authentication server, the 
method comprising: 

receiving a communication from a client at the authenti- 
cation server, wherein the communication includes a 
first identifier generated by the first server for the client; 

determining whether the client is known to the authenti- 
cation server; 

if the client is known to the authentication server, asso- 
ciating the first identifier with a pre-existing identifier 
for the client; and 

if the client is unknown to the authentication server, 
causing the client to store a cookie for the authentica- 
tion server, wherein the cookie contains an identifier for 
the client, so that the authentication server can subse- 
quently identify the client by examining the cookie. 

17. The computer-readable storage medium of claim 16, 
wherein the authentication server determines whether or not 
the client is known to the authentication server by attempt- 
ing to examine a cookie presented by the client to the 
authentication server. 

18. The computer-readable storage medium of claim 16,
wherein the method further comprises: 

receiving a username and a password from the client at the 
first server; 

attempting to authenticate the client based on the user- 
name and the password; and 

if the client authenticates, associating the username with 
the client. 

19. An apparatus that facilitates sharing authentication 
information between a plurality of servers within a distrib- 
uted computing system, the apparatus comprising: 

a first server within the plurality of servers; 

a receiving mechanism within the first server that is 
configured to receive a communication from a client; 
and 

an identification mechanism within the first server that is 
configured to determine whether the client is known to 
the first server; 

wherein if the client is unknown to the first server, the 
identification mechanism is configured to, 

generate a first identifier for the client, 

communicate the first identifier to the client, and to 
direct the client to communicate the first identifier to
the authentication server, so that the authentication 
server can attempt to associate the first identifier with 
a known client. 

20. The apparatus of claim 19, further comprising:

an authentication server within the plurality of servers; 

an association mechanism within the authentication 
server; 

wherein if the client is known to the authentication server,
the association mechanism is configured to associate
the first identifier with a pre-existing identifier for the
client;

wherein if the client is unknown to the authentication 
server, the association mechanism is configured to 
cause the client to store a cookie for the authentication 
server, wherein the cookie contains an identifier for the 
client, so that the authentication server can subse- 
quently identify the client by examining the cookie. 

21. The apparatus of claim 20, wherein the authentication 
server additionally includes an identification mechanism 
that is configured to determine whether or not the client is 
known to the authentication server by attempting to examine 
a cookie presented by the client to the authentication server. 

22. The apparatus of claim 19, wherein if the client is 
unknown to the first server, the identification mechanism is 
additionally configured to cause the client to store a cookie 
for the first server, so that the client can subsequently present 
the cookie to the first server in order to identify the client to 
the first server. 

23. The apparatus of claim 19, further comprising an 
authentication mechanism that is configured to: 

receive a username and a password from the client; 

attempt to authenticate the client based on the username 
and the password; and to 

associate the username with the client if the client authen- 
ticates. 

24. The apparatus of claim 19, wherein the identification 
mechanism is configured to: 

look for a cookie presented by the client to the first server; 
and 



if such a cookie is presented by the client, to determine if 
the cookie contains an identifier that is known to the 
first server. 

25. An apparatus that facilitates sharing authentication 
information between a plurality of servers within a distrib- 
uted computing system, the apparatus comprising: 

an authentication server within the plurality of servers; 

a receiving mechanism within the authentication server 
that is configured to receive a communication from a 
client, wherein the communication includes a first 
identifier generated by a first server within the plurality 
of servers for the client; 

an identification mechanism within the authentication 
server that is configured to determine whether the client 
is known to the authentication server; and 

an association mechanism within the authentication 
server; 

wherein if the client is known to the authentication server, 
the association mechanism is configured to associate 
the first identifier with a pre-existing identifier for the 
client; 

wherein if the client is unknown to the authentication 
server, the association mechanism is configured to 
cause the client to store a cookie for the authentication 
server, wherein the cookie contains an identifier for the 
client, so that the authentication server can subse- 
quently identify the client by examining the cookie. 

26. The apparatus of claim 25, wherein the identification 
mechanism is configured to determine whether or not the 
client is known to the authentication server by attempting to 
examine a cookie presented by the client to the authentica- 
tion server. 

27. The apparatus of claim 25, further comprising an 
authentication mechanism that is configured to: 

receive a username and a password from the client; 

attempt to authenticate the client based on the username 
and the password; and to 

associate the username with the client if the client authen- 
ticates. 

* * * * * 